[Emerging-updates] Weekly Ruleset Update Summary 2/22/2012

Matt Jonkman jonkman at emergingthreats.net
Fri Feb 22 08:26:46 HAST 2013


Quite a week, some great sigs added and modified.

The Mandiant report of course was the big news. We're very glad to say the
majority of malware connected in the report was already covered in ET Open
and Pro rules! Not all of course, so there were a set of new sigs out
Wednesday and Thursday, and some renaming and reference adds to existing.

We definitely would like to give great credit to the Mandiant folks for the
quality of research, and the fact that they pushed it out there en masse to
all. Well done!

So overall this week, the stats:

79 new Open Rules
15 new Pro Subscriber rules

* NOTE: We put every new or modified rule based on the Mandiant report in
the Open ruleset, in the spirit of their generous disclosure of their hard
work, regardless of who did the work on the sig and testing.



[+++]          Added rules:          [+++]

 2016414 - ET CURRENT_EVENTS CoolEK Payload Download (5)
(current_events.rules)
 2016415 - ET WEB_SERVER PHP tag in UA (web_server.rules)
 2016416 - ET WEB_SERVER base64_decode in UA (web_server.rules)
 2016417 - ET TROJAN W32/Vundo.Downloader Reporting User Website Session
Information (trojan.rules)
 2016418 - ET DNS Reply Sinkhole - Dr. Web (dns.rules)
 2016419 - ET DNS Reply Sinkhole - Zinkhole.org (dns.rules)
 2016420 - ET DNS Reply Sinkhole - German Company (dns.rules)
 2016421 - ET DNS Reply Sinkhole - 1and1 Internet AG (dns.rules)
 2016422 - ET DNS Reply Sinkhole - Georgia Tech (1) (dns.rules)
 2016423 - ET DNS Reply Sinkhole - Georgia Tech (2) (dns.rules)
 2016424 - ET TROJAN Win32/Vundo.OD Checkin (trojan.rules)
 2016425 - ET TROJAN Win32.Zbot.ivgw Downloading EXE (trojan.rules)
 2016426 - ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013
(current_events.rules)
 2016427 - ET CURRENT_EVENTS CoolEK Possible Java Payload Download
(current_events.rules)
 2016428 - ET TROJAN Backdoor.Win32.Likseput.B Checkin 2 (trojan.rules)
 2016429 - ET TROJAN Shady Rat/HTran style HTTP Header Pattern Request UHCa
and Google MSIE UA (trojan.rules)
 2016430 - ET TROJAN Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP
(trojan.rules)
 2016431 - ET TROJAN Win32/Tosct.B UA Mandiant APT1 Related (trojan.rules)
 2016432 - ET TROJAN Likseput.B Checkin (trojan.rules)
 2016433 - ET TROJAN Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8
(trojan.rules)
 2016434 - ET TROJAN Win32/COOKIEBAG Cookie APT1 Related (trojan.rules)
 2016435 - ET TROJAN WEBC2-TABLE Checkin 1 - APT1 Related (trojan.rules)
 2016436 - ET TROJAN WEBC2-TABLE Checkin 2 - APT1 Related (trojan.rules)
 2016437 - ET TROJAN WEBC2-TABLE Checkin 3 - APT1 Related (trojan.rules)
 2016438 - ET TROJAN WEBC2-TABLE Checkin Response - Embedded CnC APT1
Related (trojan.rules)
 2016439 - ET TROJAN Win32/Namsoth.A Checkin/NEWSREELS APT1 Related
(trojan.rules)
 2016440 - ET TROJAN SEASALT HTTP Checkin (trojan.rules)
 2016441 - ET TROJAN SEASALT Client Checkin (trojan.rules)
 2016442 - ET TROJAN SEASALT Server Response (trojan.rules)
 2016443 - ET TROJAN STARSYPOUND Client Checkin (trojan.rules)
 2016444 - ET TROJAN STARSYPOUND Client Checkin (trojan.rules)
 2016445 - ET TROJAN SWORD Sending Sword Marker (trojan.rules)
 2016446 - ET TROJAN TABMSGSQL/Sluegot.C Checkin (trojan.rules)
 2016447 - ET TROJAN WARP Win32/Barkiofork.A (trojan.rules)
 2016448 - ET TROJAN WEBC2-ADSPACE Server Response (trojan.rules)
 2016449 - ET TROJAN WEBC2-AUSOV Checkin Response - Embedded CnC APT1
Related (trojan.rules)
 2016450 - ET TROJAN Backdoor.Win32/Likseput.A Checkin (trojan.rules)
 2016451 - ET TROJAN WEBC2-QBP Checkin Response 1 - Embedded CnC APT1
Related (trojan.rules)
 2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
 2016453 - ET TROJAN WEBC2-CLOVER Download UA (trojan.rules)
 2016454 - ET TROJAN WEBC2-DIV UA (trojan.rules)
 2016455 - ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1
Related (trojan.rules)
 2016456 - ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related
(trojan.rules)
 2016457 - ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response
APT1 Related (trojan.rules)
 2016458 - ET TROJAN WEBC2-RAVE UA (trojan.rules)
 2016459 - ET TROJAN Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related
(trojan.rules)
 2016460 - ET TROJAN WEBC2-CSON Checkin - APT1 Related (trojan.rules)
 2016461 - ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related
(trojan.rules)
 2016462 - ET TROJAN Fake Virtually SSL Cert APT1 (trojan.rules)
 2016463 - ET TROJAN Fake IBM SSL Cert APT1 (trojan.rules)
 2016464 - ET TROJAN EMAIL SSL Cert APT1 (trojan.rules)
 2016465 - ET TROJAN LAME SSL Cert APT1 (trojan.rules)
 2016466 - ET TROJAN NS SSL Cert APT1 (trojan.rules)
 2016467 - ET TROJAN SERVER SSL Cert APT1 (trojan.rules)
 2016468 - ET TROJAN SUR SSL Cert APT1 (trojan.rules)
 2016469 - ET TROJAN FAKE AOL SSL Cert APT1 (trojan.rules)
 2016470 - ET TROJAN FAKE YAHOO SSL Cert APT1 (trojan.rules)
 2016471 - ET TROJAN WEBC2-UGX User-Agent (Windows+NT+5.x) APT1
(trojan.rules)
 2016472 - ET TROJAN WEBC2-UGX Embedded CnC Response APT1 (trojan.rules)
 2016473 - ET CURRENT_EVENTS Possible DNS Data Exfiltration to SSHD Rootkit
Last Resort CnC (current_events.rules)
 2016474 - ET CURRENT_EVENTS - CommentCrew UGX Backdoor initial connection
(current_events.rules)
 2016475 - ET CURRENT_EVENTS - CommentCrew downloader without user-agent
string exe download without User Agent (current_events.rules)
 2016476 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
get system (current_events.rules)
 2016477 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
html return 1 (current_events.rules)
 2016478 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
sleep (current_events.rules)
 2016479 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
sleep2 (current_events.rules)
 2016480 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
sleep3 (current_events.rules)
 2016482 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
sleep5 (current_events.rules)
 2016483 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
download client.png (current_events.rules)
 2016484 - ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor
base64 head 2 (current_events.rules)
 2016485 - ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor
base64 head (current_events.rules)
 2016486 - ET CURRENT_EVENTS - CommentCrew Possible APT backdoor stage 2
download base64 update.gif (current_events.rules)
 2016487 - ET CURRENT_EVENTS - CommentCrew Possible APT backdoor download
logo.png (current_events.rules)
 2016488 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications
get command client key (current_events.rules)
 2016489 - ET TROJAN CBeplay Downloading Design (trojan.rules)
 2016490 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class
Request (1) (current_events.rules)
 2016491 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class
Request (2) (current_events.rules)
 2016492 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class
Request (3) (current_events.rules)
 2016493 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class
Request (3) (current_events.rules)



 2806030 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.azue Checkin
(trojan.rules)
 2806031 - ETPRO TROJAN Win32/Ramnit.I UA (trojan.rules)
 2806032 - ETPRO TROJAN Win32.Scar.hhrw POST (trojan.rules)
 2806033 - ETPRO TROJAN Win32/Delf.DF Activity (trojan.rules)
 2806034 - ETPRO TROJAN Trojan-Downloader.Win32.IstBar.q Checkin
(trojan.rules)
 2806035 - ETPRO MALWARE AdWare.Win32.Agent.hzg Checkin (malware.rules)
 2806036 - ETPRO TROJAN Trojan.Win32.Pasta.thg Checkin (trojan.rules)
 2806037 - ETPRO TROJAN Trojan-Banker.Win32.Bancos.ulx Checkin
(trojan.rules)
 2806038 - ETPRO TROJAN Backdoor.Win32.Rbot.ajwo Checkin (trojan.rules)
 2806039 - ETPRO TROJAN Downloader.Win32.FraudLoad.jh Checkin (trojan.rules)
 2806040 - ETPRO TROJAN TROJ_ARCHSMS.B Checkin (trojan.rules)
 2806041 - ETPRO TROJAN Trojan.Generic.KDZ.7051 Checkin (trojan.rules)
 2806042 - ETPRO TROJAN Trojan.Generic.8632390 Checkin (trojan.rules)
 2806043 - ETPRO TROJAN HackTool.Sniffer.WpePro Checkin (trojan.rules)
 2806044 - ETPRO TROJAN W32/QQhelper.C.gen General Downloader User-Agent
(Mozil1a/4.0+(compatible) (trojan.rules)


[///]     Modified active rules:     [///]

 2009486 - ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent
(Windows+NT+5.x) (trojan.rules)
 2011120 - ET MALWARE User-Agent (Save) (malware.rules)
 2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
 2015889 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage
landing page (1) (current_events.rules)
 2015985 - ET TROJAN Win32/Kuluoz.B Request (trojan.rules)
 2016016 - ET CURRENT_EVENTS DNS Amplification Attack Inbound
(current_events.rules)
 2016017 - ET CURRENT_EVENTS DNS Amplification Attack Outbound
(current_events.rules)
 2016060 - ET CURRENT_EVENTS CoolEK - Jar - Dec 18 2012
(current_events.rules)
 2016409 - ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload
libarhlp32.dll Second Stage Download POST (current_events.rules)
 2016410 - ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload
libarext32.dll Second Stage Download POST (current_events.rules)


[///]    Modified inactive rules:    [///]

 2804603 - ETPRO TROJAN Lethic.B XOR key (trojan.rules)


[---]         Removed rules:         [---]

 2001596 - ET POLICY Skype VOIP Reporting Install (policy.rules)
 2007748 - ET TROJAN NPRC Malicious POST Request Possible DOJ or DOT
Malware (trojan.rules)
 2801442 - ETPRO TROJAN Backdoor.Win32.Likseput.B Checkin 2 (trojan.rules)
 2803065 - ETPRO TROJAN Win32.Sluegot.A Checkin (trojan.rules)
 2803356 - ETPRO TROJAN Shady Rat/HTran style HTTP Header Pattern Request
UHCa and Google MSIE UA (trojan.rules)
 2803833 - ETPRO TROJAN TrojanDownloader.Win32/Small.XR Checkin
(trojan.rules)
 2804187 - ETPRO TROJAN Win32/Vundo.OD Checkin (trojan.rules)
 2804304 - ETPRO TROJAN Backdoor.Win32/Likseput.A Checkin (trojan.rules)
 2804819 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.vhvw Checkin
(trojan.rules)

-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------